
Top 5 Risks of "Dirty" Firewalls

Jun 06, 2017 11:00 am - 12:00 pm CST

Firewall rules are notoriously complex and voluminous in nature. Even small organizations have multiple firewalls and significant complexity. But large organizations are overwhelmed.

Besides classic firewalls, next-gen firewalls, VPN, reverse-NAT and remote access servers, each switch and router with rules acts as a firewall. Firewall proliferation is obviously driven first by the number of physical sites – a direct correlate to growth for many organizations. But your number of firewalls also increases in proportion to how fine-grained you attempt to make your network security. Today, perimeter firewalls between the Internet and the internal network are just the beginning. Here are a few of the special segments within many networks that are or should be protected by internal firewalls:

PCI requires controls for all devices within the “Cardholder Data Environments”

Red forest domain controllers and secure administrative workstations

Management network of hypervisors and related systems (e.g. vCenter)

Guest/visitor networks

SCADA networks

Quarantine segments

Control plane networks for cloud and service providers

DMZs

Internal segmentation will keep growing because of the constant threat of persistent attackers. With the intensity and sophistication of today’s attacks, we assume there’s always someone loose on your network. Internal network controls are critical for denying them complete freedom of movement to run amok.

But along with more firewalls, you also end up with more rules. In preparing for this real-training-for-free session, I was talking to a firewall specialist this week; his customers routinely deal with 40,000 rules on a single firewall. 100 rules is enough to cause confusion, let alone thousands. Part of the problem, he stated, is that rules go in but don’t go out.

Nearly all firewalls are designed with a “positive security model,” meaning that unless a rule expressly permits access, that access is denied. This design should limit access only to what is necessary, but in practice, firewall management is very complicated, and significantly more access is permitted than is necessary.

Complexity by itself is not a security issue. However, excessive complexity has implications that are a problem. Not surprisingly, there is a strong correlation between the complexity of the firewall and the number of mistakes in the policy. As complexity increases, mistakes increase. Unfortunately, each mistake adds unnecessary complexity, resulting in even further mistakes. Over the years, these problems compound upon one another, resulting in an unmanageable policy, deteriorated firewall performance, increased risk and increased management costs.

Ironically, the more secure you try to be, the more complexity you create, which in turn introduces new risks. In this real-training-for-free event, we will discuss the Top 5 risks the team at FireMon, a leading firewall management software vendor, finds when assessing an organization’s firewalls.

Here’s the list of risks we’ll discuss:

Unused rules – those that have not matched any traffic for a set period of time and are therefore no longer necessary

Outdated rules – those rules that were opened for a specific reason that is no longer necessary

Non-compliant rules – those that do not meet internal or regulatory best practices

Permissive source/destination addresses – rules that are overly permissive with their access

A network that is more responsive and agile to changing business needs.

Ideally, you need to be able to regularly perform 3 types of analysis:

Rule usage analysis – tracks how frequently each firewall rule is matched by traffic

Traffic flow analysis – shows you the paths different applications are taking or have taken across your network

Access path analysis – shows every available access path across the network that traffic could take

Rule usage analysis is critical for finding out if unnecessary open access exists on the network. Unnecessary access equals unnecessary risk.

Traffic flow analysis is critical for determining the impact of:

Removing allow rules

Adding deny rules

Monitoring and forensics

Access path analysis is indispensable for:

Validating network security controls

Determining if new rules are really necessary

Identifying unintended access paths

Finding permissive rules
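As an added illustration of the rule usage analysis and the permissive source/destination check described above (example code written for this page, not FireMon's product or the session's material), the script below reviews a constructed rule export and flags rules that have matched no traffic within a window and rules whose address or service fields are wide open. The 90-day unused threshold, the 256-address width limit and the sample rules are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

@dataclass
class Rule:
    rule_id: str
    src: str               # CIDR or "any"
    dst: str
    service: str           # e.g. "tcp/443", or "any"
    hits: int              # lifetime hit counter from the rule usage export
    last_hit: Optional[datetime]  # None = the rule has never matched traffic

def address_span(field: str) -> int:
    """Number of addresses a source/destination field permits."""
    if field.lower() == "any":
        return 2 ** 32
    return ipaddress.ip_network(field, strict=False).num_addresses

def review_rules(rules, now, unused_after=timedelta(days=90), max_span=256):
    """Map rule_id -> findings. 'unused': nothing matched within unused_after
    (rule usage analysis); 'permissive-*': an address field wider than
    max_span, or a service of 'any'. Thresholds are illustrative assumptions."""
    findings = {}
    for r in rules:
        issues = []
        if r.last_hit is None or now - r.last_hit > unused_after:
            issues.append("unused")
        if address_span(r.src) > max_span:
            issues.append("permissive-src")
        if address_span(r.dst) > max_span:
            issues.append("permissive-dst")
        if r.service.lower() == "any":
            issues.append("permissive-service")
        if issues:
            findings[r.rule_id] = issues
    return findings

# Constructed sample policy export; hit counters and timestamps are made up.
NOW = datetime(2017, 6, 6)
SAMPLE_RULES = [
    Rule("r1", "10.1.0.0/24", "10.2.0.10/32", "tcp/443", 18230, NOW - timedelta(days=1)),
    Rule("r2", "any", "any", "any", 4, NOW - timedelta(days=400)),
    Rule("r3", "192.168.5.0/24", "10.2.0.20/32", "tcp/22", 0, None),
    Rule("r4", "10.0.0.0/8", "10.2.0.30/32", "tcp/1433", 912, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for rid, issues in review_rules(SAMPLE_RULES, NOW).items():
        print(rid, ", ".join(issues))
```

Rule r1 is tight and in use, so it produces no finding; r2 is the classic any/any/any rule that has gone stale, r3 has never matched, and r4 is in use but its /8 source is far wider than necessary.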

FireMon will briefly show you how their technology helps you manage your global, heterogeneous fleet of firewalls from a single pane of glass to track changes, clean up rules, analyze traffic flow over time and visualize access paths.